an analysis of the witty outbreak: exploiting underlying structure for detailed reconstruction of an...
Post on 21-Dec-2015
217 views
TRANSCRIPT
An Analysis of the Witty Outbreak: Exploiting Underlying Structure for
Detailed Reconstruction of an Internet-scale Event
Abhishek Kumar (Georgia Tech)
Vern Paxson (ICSI/CCIED)
Nicholas Weaver (ICSI/CCIED)
November 11, 2005
Proc. ACM Internet Measurement Conference 2005 /
WORM 2005
Enhancing Telescope Imagery
NGC6543: Chandra X-ray Observatory Center (http://chandra.harvard.edu)
The “Witty” Worm
• Released March 19, 2004.• Exploited flaw in the passive analysis of
Internet Security Systems products• Worm fit in a single Internet “packet”
– Stateless: When scanning, worm could “fire and forget”
• Vulnerable pop. (12K) attained in 75 minutes.• Payload: slowly corrupt random disk blocks.• Flaw had been announced the previous day.• Written by a Pro.
What Exactly Does Witty Do?
1. Seed the PRNG using system time.2. Send 20,000 copies of self to randomly
selected destinations.3. Open physical disk chosen randomly
between 0 .. 7.4. If success:5. Overwrite a randomly chosen block on
this disk.6. Goto line 1.7. Else:8. Goto line 2.
Witty Telescope Data
• UCSD telescope recorded every Witty packet seen on /8 (224 addresses).– But with unknown losses
• UWisc telescope recorded every 10th Witty packet seen on /8.– Also w/ unknown losses
• In the best case, we see ≈ 4 of every 1000 packets sent by each Witty infectee.
? What can we figure out about the worm?
Generating (Pseudo-)Random Numbers
• Linear Congruential Generator (LCG) proposed by Lehmer, 1948:
Xi+1 = Xi*A + B mod M
• Picking A, B takes care, e.g.:A = 214,013B = 2,531,011M = 232
• Theorem: the orbit generated by these is a complete permutation of 0 .. 232-1
• Another theorem: we can invert this generator
srand(seed) { X seed }rand() { X X*214013 + 2531011; return X }
main()1. srand(get_tick_count());2. for(i=0;i<20,000;i++)
3. dest_ip rand()[0..15] || rand()[0..15]
4. dest_port rand()[0..15]
5. packetsize 768 + rand()[0..8]
6. packetcontents top-of-stack7. sendto()
8. if(open_physical_disk(rand()[13..15] ))
9. write(rand()[0..14] || 0x4e20) 10. goto 1 11. else goto 2
What Can We Do Seeing Just4 Packets Per Thousand?
• Each packet contains bits from 4 consecutive PRNGs:3. dest_ip rand()[0..15] || rand()[0..15]
4. dest_port rand()[0..15]
5. packetsize 768 + rand()[0..8]
• If first call to rand() returns Xi :3. dest_ip (Xi)[0..15] || (XI+1)[0..15]
4. dest_port (XI+2)[0..15]
• Given top 16 bits of Xi, now brute force all possible lower 16 bits to find which yield consistent top 16 bits for XI+1 & XI+2
Single Witty packet suffices to extract infectee’s complete PRNG state! Think of this as a sequence number.
Cool, But So What?
• E.g., Individual Access Bandwidth Estimation– Suppose two consecutively-observed packets
from source S arrive with states Xi and Xj
– Compute j-i by counting # of cranks forward from Xi to reach Xj
– # packets sent between the two observed = (j-i)/4– sendto call in Windows is blocking– Ergo, access bandwidth of that infectee should be
(j-i)/4 * size-of-those-packets / T
– Note: works even in the presence of very heavy packet loss
Inferred Access Bandwidth of Individual Witty Infectees
Precise Bandwidth Estimation vs. Rates Measured by Telescope
srand(seed) { X seed }rand() { X X*214013 + 2531011; return X }
main()1. srand(get_tick_count());2. for(i=0;i<20,000;i++)
3. dest_ip rand()[0..15] || rand()[0..15]
4. dest_port rand()[0..15]
5. packetsize 768 + rand()[0..8]
6. packetcontents top-of-stack7. sendto()
8. if(open_physical_disk(rand()[13..15] ))
9. write(rand()[0..14] || 0x4e20) 10. goto 1 11. else goto 2
}4 calls to rand() per loop
} Plus one more every 20,000 packets, if disk open fails
} Or complete reseeding if not
Witty Infectee Reseeding Events
• For packets with state Xi and Xj:
– If from the same batch of 20,000 then
• j - i = 0 mod 4
– If from separate but adjacent batches, for which Witty did not reseed, then
• j - i = 1 mod 4 (but which of the 100s/1000s of intervening packets
marked the phase shift?)
– If from batches across which Witty reseeded, then no particular relationship.
We Know Intervals in Which Each First-Seed Packet Occurs ….
• … but which among the 1000s of candidates are the actual seeds?
• Entropy isn’t all that easy to come by …
• Consider
srand(get_tick_count())
i.e., uptime in msec
• The values used in repeated calls increase linearly with time
Slope = 1000/sec
X-intercept gives boot time
Uptime of 750 Witty Infectees
?
Uptime of 750 Witty Infectees
Given Exact Valuesof Seeds Used for Reseeding …
• … we know exact random # used at each subsequent disk-wipe test:
if(open_physical_disk(rand()[13..15] )
• … and its success, or failure, i.e., number of drives attached to each infectee …
• … and, more, generally, every packet each infectee sent
– Can compare this to when new infectees show up
– i.e. Who-Infected-Whom
Disk Drives Per Witty Infectee
0
10
20
30
40
50
60
1 2 3 4 5 6 7
% Infectees w/ # Drives?
Disk Drives Per Witty Infectee
0
10
20
30
40
50
60
1 2 3 4 5 6 7
% Infectees w/ # Drives
Given Exact Valuesof Seeds Used for Reseeding …
• … we know exact random # used at each subsequent disk-wipe test:
if(open_physical_disk(rand()[13..15] )
• … and its success, or failure, i.e., number of drives attached to each infectee …
• … and, more, generally, every packet each infectee sent
– Can compare this to when new infectees show up
– i.e. Who-Infected-Whom
Time Between Scan by Known Infectee and New Source Arrival At Telescope
Too Early
Too Late
Right on Time
Infection Attempts That WereToo Early, Too Late, or Just Right
Infector/Infectee Signature
Witty is Incomplete
• Recall that LCD PRNG generates a complete orbit over a permutation of 0..232-1.
• But: Witty author didn’t use all 32 bits of single PRNG value– dest_ip (Xi)[0..15] || (XI+1)[0..15]
– Knuth recommends top bits as having better pseudo-random properties
• But2: This does not generate a complete orbit!– Misses 10% of the address space
– Visits 10% of the addresses (exactly) twice
• So, were 10% of the potential infectees protected?
Time When Infectees Seen At Telescope
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
Doubly-scanned infectees infected faster
Unscanned infectees still get infected!
In fact, some are infected Extremely Quickly!
How Can an Unscanned Infectee Become Infected?
• Multihomed host infected via another address
• DHCP or NAT aliasing
• But what about the extra-quick ones?
• Either they were passively infected and had large cross-sections
• Or they were known in advance to the attacker
Uptime of 750 Witty Infectees
Part of a group of 135 infectees from same /16
Time When Infectees Seen At Telescope
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
Most also belong to that /16
Witty Started With A “Hit List”
• Initial infectees exhibit super-exponential growth they weren’t found by random scanning
• Large-scale passive infection unlikely
– Many in group numbered identically in adjacent /24’s
– If monitoring their local space, who-infected-whom shows too few probes into that space
• Prevalent /16 = U.S. military base
• Attacker knew of ISS security software installation at military site ISS insider (or ex-insider)
– Fits with very rapid development of worm after public vulnerability disclosure
Are All The Worms In Fact Executing Witty?
• Answer: No.
• There is one “infectee” that probes addresses not on the orbit.
• Each probe contains Witty contagion, but lacks randomized payload size.
• Shows up very near beginning of trace. Patient Zero - machine attacker used to launch
Witty. (Really, Patient Negative One.)
• European retail ISP.
• Information passed along to Law Enforcement.
Summary of WittyTelescope Analysis
• Understanding a measurement’s underlying structure adds enormous analytic power
• Cuts both ways: makes anonymization much harder than one would think
• I will never look at “random” number generation the same way …
• With enough effort, worm “attribution” can be possible
• Applications to: worm/worm-defense simulation; calibration of network telescope fidelity; large-scale measurement of Internet path properties; inferring firewall policies;opportunistic measurement.